SOLVED

ASC - Azure Defender for SQL - Is it possible to Target Specific Resources for protection?

%3CLINGO-SUB%20id%3D%22lingo-sub-2414637%22%20slang%3D%22en-US%22%3EASC%20-%20Azure%20Defender%20for%20SQL%20-%20Is%20it%20possible%20to%20Target%20Specific%20Resources%20for%20protection%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2414637%22%20slang%3D%22en-US%22%3E%3CP%3EGood%20evening%20all!%3C%2FP%3E%3CP%3EI%20have%20have%20Azure%20defender%20for%20%22SQL%20servers%20on%20machines%22%20enabled%20on%20my%20primary%20Log%20Analytics%20workspace...%3C%2FP%3E%3CP%3EI%20have%20discovered%20that%20instances%20of%20SQL%20running%20on%20developer%20machines%20and%20other%20instances%20that%20I%20prefer%20not%20to%20monitor%20and%20be%20billed%20for%20in%20ASC%20have%20been%20included.%20I%20would%20prefer%20to%20stop%20%22protecting%22%20them%20and%20target%20only%20a%20specific%20set%20of%20SQL%20instances%20in%20my%20workspace...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EWill%20%22Solution%20targeting%22%20within%20the%20SQLAdvancedThreatProtection%20and%20SQLVulnerabilityAssessment%20solutions%20within%20that%20workspace%20allow%20me%20to%20scope%20coverage%20and%20then%20eliminate%20the%20meter%20charges%20in%20Azure%20for%20the%20defender%20security%20services%3F%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3EIs%20there%20an%20alternative%20approach%20I%20am%20missing%3F%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20for%20your%20time%20and%20consideration%2C%20and%20I%20think%20this%20product%20is%20AMAZING!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2422144%22%20slang%3D%22en-US%22%3ERe%3A%20ASC%20-%20Azure%20Defender%20for%20SQL%20-%20Is%20it%20possible%20to%20Target%20Specific%20Resources%20for%20protection%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2422144%22%20slang%3D%22en-US%22%3E%3CP%3Eto%20add%20additional%20clarification...%26nbsp%3B%20The%20machines%20that%20I%20would%20like%20to%20exclude%20from%20scope%20are%20connected%20to%20the%20ASC%20monitored%20workspace%20and%20not%20using%20the%20ARC%20agent.%26nbsp%3B%20I%20would%20prefer%20to%20leave%20the%20machines%20connected%20to%20the%20workspace%20while%20excluding%20them%20from%20the%20protection%20scope%20of%20Azure%20defender%20for%20%22sql%20servers%20on%20machines%22.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2422642%22%20slang%3D%22en-US%22%3ERe%3A%20ASC%20-%20Azure%20Defender%20for%20SQL%20-%20Is%20it%20possible%20to%20Target%20Specific%20Resources%20for%20protection%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2422642%22%20slang%3D%22en-US%22%3EHi%20Austin%2C%20thanks%20for%20your%20kind%20words!%20%3CBR%20%2F%3E%3CBR%20%2F%3ECurrently%2C%20there%20are%20two%20ways%20to%20target%20resources%20with%20a%20finer%20resolution%20than%20subscriptions%3A%20%3CBR%20%2F%3E1.%20using%20a%20custom%20workspace%20managing%20those%20resources%20separately%20%3CBR%20%2F%3E2.%20solution%20targetting%20%3CBR%20%2F%3ESo%20in%20your%20case%20seems%20indeed%20that%20solution%20targeting%20is%20the%20best%20option.%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Good evening all!

I have have Azure defender for "SQL servers on machines" enabled on my primary Log Analytics workspace...

I have discovered that instances of SQL running on developer machines and other instances that I prefer not to monitor and be billed for in ASC have been included. I would prefer to stop "protecting" them and target only a specific set of SQL instances in my workspace...

 

Will "Solution targeting" within the SQLAdvancedThreatProtection and SQLVulnerabilityAssessment solutions within that workspace allow me to scope coverage and then eliminate the meter charges in Azure for the defender security services?

Is there an alternative approach I am missing?

 

Thank you for your time and consideration, and I think this product is AMAZING!

5 Replies

to add additional clarification...  The machines that I would like to exclude from scope are connected to the ASC monitored workspace and not using the ARC agent.  I would prefer to leave the machines connected to the workspace while excluding them from the protection scope of Azure defender for "sql servers on machines".

best response confirmed by Austin Ayers (Occasional Contributor)
Solution
Hi Austin, thanks for your kind words!

Currently, there are two ways to target resources with a finer resolution than subscriptions:
1. using a custom workspace managing those resources separately
2. solution targetting
So in your case seems indeed that solution targeting is the best option.



@mimakh  Thanks for your feedback... do you know, would it be BOTH solution related to SQL within the workspace?

 

Marked @mimakh as best response though it would be helpful for confirmation on my latest question, and might be helpful if the response were documented. ie: which solutions should be targeted so as to avoid the "protection" and "assessment".

Hi Austin,

To avoid "protection" you should target SQLATP, for "assessment" SQLVA should be targeted. Please note that if you want to stop protecting your machines, you will have to target both solutions, as they are related to Azure Defender for SQL,